artifactory - Fix for ClusterIP type service with external ingress of…

…floading (#1906)
jfrog · Oct 30, 2024 · 4762c96 · 4762c96
1 parent ad7a9fd
commit 4762c96
Show file tree

Hide file tree

Showing 2 changed files with 131 additions and 3 deletions.
diff --git a/stable/artifactory/CHANGELOG.md b/stable/artifactory/CHANGELOG.md
@@ -18,6 +18,7 @@ All changes to this chart will be documented in this file.
 * Updating the example link for downloading the DB driver
 * Added Binary Provider recommendations
 * Added `signedUrlExpirySeconds` option to artifactory.persistence.type of `google-storage`, `google-storage-v2`, and `google-storage-v2-direct`
+* Support for SSL offload HTTPS proto override in Nginx service(ClusterIP) layer. Introduced `nginx.service.ssloffloadForceHttps` field with boolean type.
 
 ## [107.89.0] - June 7, 2024
 * Fix the indentation of the commented-out sections in the values.yaml file
@@ -40,7 +41,7 @@ All changes to this chart will be documented in this file.
 * Added support for `global.verisons.initContainers` to override `initContainers.image.tag`
 * Fixed an issue with extraSystemYaml merge
 * **IMPORTANT**
-* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext` 
+* Renamed `artifactory.setSecurityContext` to `artifactory.podSecurityContext`
 * Renamed `artifactory.uid` to `artifactory.podSecurityContext.runAsUser`
 * Renamed `artifactory.gid` to `artifactory.podSecurityContext.runAsGroup` and `artifactory.podSecurityContext.fsGroup`
 * Renamed `artifactory.fsGroupChangePolicy` to `artifactory.podSecurityContext.fsGroupChangePolicy`
@@ -164,7 +165,7 @@ All changes to this chart will be documented in this file.
 ## [107.58.0] - Mar 23, 2023
 * Updated postgresql multi-arch tag version to `13.10.0-debian-11-r14`
 * Removed obselete remove-lost-found initContainer`
-* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode 
+* Added env JF_SHARED_NODE_HAENABLED under frontend when running in the container split mode
 
 ## [107.57.0] - Mar 02, 2023
 * Updated initContainerImage and logger image to `ubi9/ubi-minimal:9.1.0.1793`
@@ -382,7 +383,7 @@ All changes to this chart will be documented in this file.
 
 ## [12.0.0] - April 22, 2021
 * **Breaking change:**
-* Increased default postgresql persistence  size to `200Gi` 
+* Increased default postgresql persistence  size to `200Gi`
 * Update postgresql tag version to `13.2.0-debian-10-r55`
 * Update postgresql chart version to `10.3.18` in chart.yaml - [10.x Upgrade Notes](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1000)
 * If this is a new deployment or you already use an external database (`postgresql.enabled=false`), these changes **do not affect you**!

diff --git a/stable/artifactory/values.yaml b/stable/artifactory/values.yaml
@@ -1464,6 +1464,131 @@ nginx:
   ## The nginx main conf was moved to files/nginx-main-conf.yaml. This key is commented out to keep support for the old configuration
   # mainConf: |
 
+      {{- if .Values.nginx.logs.stdout }}
+      access_log /dev/stdout timing;
+      {{- else -}}
+      access_log {{ .Values.nginx.persistence.mountPath }}/logs/access.log timing;
+      {{- end }}
+
+      sendfile        on;
+      #tcp_nopush     on;
+
+      keepalive_timeout  65;
+
+      #gzip  on;
+
+      include /etc/nginx/conf.d/*.conf;
+
+    }
+  artifactoryConf: |
+    {{- if .Values.nginx.https.enabled }}
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_certificate  {{ .Values.nginx.persistence.mountPath }}/ssl/tls.crt;
+    ssl_certificate_key  {{ .Values.nginx.persistence.mountPath }}/ssl/tls.key;
+    ssl_session_cache shared:SSL:1m;
+    ssl_prefer_server_ciphers   on;
+    {{- end }}
+    ## server configuration
+    server {
+    {{- if .Values.nginx.internalPortHttps }}
+      {{- if .Values.nginx.singleStackIPv6Cluster }}
+      listen [::]:{{ .Values.nginx.internalPortHttps }} ssl;
+      {{- else -}}
+      listen {{ .Values.nginx.internalPortHttps }} ssl;
+      {{- end }}
+    {{- else -}}
+      {{- if .Values.nginx.https.enabled }}
+      {{- if .Values.nginx.singleStackIPv6Cluster }}
+      listen [::]:{{ .Values.nginx.https.internalPort }} ssl;
+      {{- else -}}
+      listen {{ .Values.nginx.https.internalPort }} ssl;
+      {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- if .Values.nginx.internalPortHttp }}
+      {{- if .Values.nginx.singleStackIPv6Cluster }}
+      listen [::]:{{ .Values.nginx.internalPortHttp }};
+      {{- else -}}
+      listen {{ .Values.nginx.internalPortHttp }};
+      {{- end }}
+    {{- else -}}
+      {{- if .Values.nginx.http.enabled }}
+      {{- if .Values.nginx.singleStackIPv6Cluster }}
+      listen [::]:{{ .Values.nginx.http.internalPort }};
+      {{- else -}}
+      listen {{ .Values.nginx.http.internalPort }};
+      {{- end }}
+      {{- end }}
+    {{- end }}
+      server_name ~(?<repo>.+)\.{{ include "artifactory.fullname" . }} {{ include "artifactory.fullname" . }}
+      {{- range .Values.ingress.hosts -}}
+        {{- if contains "." . -}}
+          {{ "" | indent 0 }} ~(?<repo>.+)\.{{ . }}
+        {{- end -}}
+      {{- end -}};
+
+      if ($http_x_forwarded_proto = '') {
+        set $http_x_forwarded_proto  $scheme;
+      }
+      set $host_port {{ .Values.nginx.https.externalPort }};
+      if ( $scheme = "http" ) {
+        set $host_port {{ .Values.nginx.http.externalPort }};
+      }
+      ## Application specific logs
+      ## access_log /var/log/nginx/artifactory-access.log timing;
+      ## error_log /var/log/nginx/artifactory-error.log;
+      rewrite ^/artifactory/?$ / redirect;
+      if ( $repo != "" ) {
+        rewrite ^/(v1|v2)/(.*) /artifactory/api/docker/$repo/$1/$2 break;
+      }
+      chunked_transfer_encoding on;
+      client_max_body_size 0;
+
+      location / {
+        proxy_read_timeout  900;
+        proxy_pass_header   Server;
+        proxy_cookie_path   ~*^/.* /;
+        proxy_pass          {{ include "artifactory.scheme" . }}://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalPort }}/;
+        {{- if .Values.nginx.service.ssloffload}}
+        {{- if .Values.nginx.service.ssloffloadForceHttps}}
+        proxy_set_header    X-JFrog-Override-Base-Url https://$host;
+        proxy_set_header    X-Forwarded-Proto https;
+        {{- else }}
+        proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host;
+        proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
+        {{- end }}
+        {{- else }}
+        proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$host_port;
+        proxy_set_header    X-Forwarded-Port  $server_port;
+        proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
+        {{- end }}
+        proxy_set_header    Host              $http_host;
+        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
+        {{- if .Values.nginx.disableProxyBuffering}}
+        proxy_http_version 1.1;
+        proxy_request_buffering off;
+        proxy_buffering off;
+        {{- end }}
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        location /artifactory/ {
+          if ( $request_uri ~ ^/artifactory/(.*)$ ) {
+            proxy_pass       http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/$1;
+          }
+          proxy_pass         http://{{ include "artifactory.fullname" . }}:{{ .Values.artifactory.externalArtifactoryPort }}/artifactory/;
+        }
+        location /pipelines/ {
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $http_host;
+          {{- if .Values.router.tlsEnabled }}
+          proxy_pass  https://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }};
+          {{- else }}
+          proxy_pass  http://{{ include "artifactory.fullname" . }}:{{ .Values.router.internalPort }};
+          {{- end }}
+        }
+      }
+    }
   ## The nginx artifactory conf was moved to files/nginx-artifactory-conf.yaml. This key is commented out to keep support for the old configuration
   # artifactoryConf: |
   customInitContainers: ""
@@ -1478,6 +1603,8 @@ nginx:
     ## For minikube, set this to NodePort, elsewhere use LoadBalancer
     type: LoadBalancer
     ssloffload: false
+    ## @param service.ssloffloadForceHttps Override http_x_forwarded_proto flag for external ingress (optional, likely OpenShift specific for ClusterIP based nginx service config)
+    ssloffloadForceHttps: false
     ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific)
     ## This can be either SingleStack, PreferDualStack or RequireDualStack
     ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services